The Many Goals and Roles of a CISO

The CISOs of the world, particularly those in large organizations, often sit high above the daily operational fray of systems management. They stay out of the wild, so to speak, of technical administration and compliance activities. Their days are frequently consumed with reacting to various issues and the management of policies, projects and personnel. They are also heavily engaged in instilling a culture in the organization that respects privacy and security, motivating sound decisions and appropriate actions.

These activities are, of course, vitally important in supporting the overall CISO mission of protecting the information, technology and services of the organization. It is quite natural for CISOs and their teams to be very adamant about the need to follow the various policies, guidelines and best practices, and the need to maintain high levels of operational compliance.

There is also a general reluctance to accept any pushback regarding established rules and their related compliance requirements. I imagine there are many times when one has been involved in a discussion, on one side of the table or the other, regarding why a certain requirement was not completed or why someone feels it is not feasible to adhere to a particular aspect of the policy. The short answer from the information security team is often: “It is a requirement; just make sure it is done.”

Walk a Mile in IT’s Shoes

While it is certainly true that the CISO role is challenging and demanding — for example, ensuring crucial security management capabilities are in place — so, too, are the roles that bear the direct responsibility for maintaining operational privacy, security and compliance of the environment. How often do we see a CISO in the wild, actually going through the processes that they demand of typical system administrators?

There is no better way to fully understand what your community goes through than to experience it for yourself. Recently, I was presented with an opportunity to do just that.

As I was consulting on system and security requirements for a new proof-of-concept (PoC) service from one of our research groups, I decided to further assist the team by taking on the initial setup of the new server from scratch. I would be going through the litany of server-related activities firsthand, from installation and registration to configuration and validation. I would personally utilize the various tools available and hopefully end up with a system compliant with our internal standards.

Behind the Server Deployment

I think a bit of additional background information is warranted here. The organization that we support is primarily focused on research and development (R&D). While there are some production-level hosting environments, the vast majority of systems are nonproduction. Our R&D workload can have significant variability when it comes to the needs of individual projects. Couple that diversity with a high rate and pace of change, and you have an environment that is frequently not conducive to standardized system images and common tooling.

I started off with a base Windows server image in our cloud hosting environment and then established some basic filtering in the Windows and network firewalls. A couple of the initial required registration tasks for the new system were relatively painless, although it would have been preferable to have them consolidated into a common tool. With the system now registered in the IT server database and the DNS service, it was time to move on to the installation of the required agent for endpoint management.

Making Installation a Reality

Installing the endpoint protection agent was a bit more involved, given the network compartment where the server was deployed. However, with some simple network filtering changes and mild modifications to the installation process, the agent was installed and operational. The solution was then used to easily push out the installation of the required antivirus application and deploy various patches for installed components.

Now the fun really kicked in, as I took the security policy document and began to work through the specific configuration requirements for a generic Windows server. The relatively specific configuration requirements, with over 100 items to confirm or change, took a considerable amount of time and effort.

Granted, there was a learning curve aspect to this for me personally, as I’m not a Windows system admin by trade. However, it was easy to see how time-consuming it is to perform these steps manually, even for a skilled admin. I realize that some automation could be added here, and there are some groups that do leverage automation for their projects, but there are still numerous situations where it is not currently available.

The fun continued as I moved on to work with the various compliance validation tools. I needed to get a bit more familiar with operating the console, but soon I was able to view and start addressing any configuration items that I may have missed and document false positives. I did the same with the results of the network vulnerability scanning tool.

Iteratively making changes and checking results during this phase also took a considerable amount of time. Once again, leveraging automation here would be highly desirable. I will also point out that, in general, our organization has made excellent use of the compliance validation solution to significantly accelerate compliance activities.

The network infrastructure and security areas often create additional complications for server administrators when it comes to the enablement of IT services. However, in the case of this particular PoC server deployment, the impact was minimal.

The End Result

I am happy to report that I was able to establish an initially compliant nonproduction base server environment. I interacted with seven different environments and tools in order to successfully complete the task and expended a considerable amount of time and effort. I do have to point out that the actual Web application for this particular server was not yet installed. This will bring with it, you guessed it, additional security and compliance activities. For now, I will leave this next phase of the deployment to the true technical professionals.

As I had hoped, this exercise turned out to be a valuable experience, and I look forward to the opportunity for similar experiences going forward. I now have a more intimate understanding of the process, procedures and tools related to security and compliance from the perspective of those who are immersed in them every day.

This has the advantage of increasing the effectiveness of the interaction and collaboration with the community, as well as improving the focus and effectiveness of future changes that we introduce in the areas of privacy, security and compliance. Perhaps in the future, sightings of a CISO in the wild will not be such a rare occurrence.
